
CVE Reports

Originally published at cvereports.com

CVE-2026-48167: Stored Cross-Site Scripting (XSS) via Attribute Injection in Filament ImageColumn and ImageEntry

Vulnerability ID: CVE-2026-48167
CVSS Score: 6.4
Published: 2026-06-23

Filament's ImageColumn (used in tables) and ImageEntry (used in infolists) components render database-sourced image URLs directly inside HTML attributes without validation or escaping. An attacker who can write such a value can break out of the attribute and inject arbitrary HTML attributes, leading to Stored Cross-Site Scripting (XSS).

TL;DR

An HTML attribute injection vulnerability in Filament v4.x and v5.x allows authenticated users with database write privileges to inject arbitrary JavaScript payloads into image components, executing code in the security context of administrators viewing the record.

Technical Details

  • CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Attack Vector: Network / Low Privileges Required
  • CVSS v3.1 Score: 6.4
  • EPSS Score: 0.00148 (0.15% probability)
  • Impact: Stored Cross-Site Scripting (XSS)
  • Exploit Status: No active public exploits

Affected Systems

  • Laravel applications implementing Filament tables with ImageColumn components
  • Laravel applications implementing Filament infolists with ImageEntry components
  • filament/tables: >= 4.0.0, < 4.11.5 (Fixed in: 4.11.5)
  • filament/tables: >= 5.0.0, < 5.6.5 (Fixed in: 5.6.5)
  • filament/infolists: >= 4.0.0, < 4.11.5 (Fixed in: 4.11.5)
  • filament/infolists: >= 5.0.0, < 5.6.5 (Fixed in: 5.6.5)

Code Analysis

Commit: e1f36a7

security: Escape ImageColumn and ImageEntry URLs (#19885)

Mitigation Strategies

  • Upgrade to patched upstream library versions
  • Verify and audit published local Blade template overrides
  • Enforce a standard Content Security Policy (CSP) that restricts inline script execution
  • Validate user-provided image URLs prior to database persistence

Remediation Steps:

  1. Run 'composer update filament/filament' in your terminal.
  2. Ensure package composer.json references >=4.11.5 or >=5.6.5.
  3. Inspect files in 'resources/views/vendor/filament' for raw unescaped output references.
  4. Query databases for potentially dangerous string entries inside columns rendered by ImageColumn components.
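To make the advisory concrete, here is an added PHP example (our own code, not Filament's) that shows the attribute-injection pattern with a constructed sample value, the render-time escaping that the upstream fix applies in spirit, and a validation and audit helper for the last two remediation steps; all function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not Filament's code. Shows the attribute-injection class behind
// CVE-2026-48167 and two defensive controls: escaping at render time and
// validating image URLs before they are stored. All function names are ours.

// Constructed sample value: a "URL" that closes the src attribute early and
// smuggles an extra attribute into the <img> tag.
const CONSTRUCTED_BAD_URL = 'https://example.com/a.png" data-injected="1';

// Unsafe rendering: the stored value is concatenated straight into the
// attribute, which is the pattern the advisory describes. Kept only for contrast.
function renderImageUnsafe(string $url): string
{
    return '<img src="' . $url . '">';
}

// Safe rendering: ENT_QUOTES escapes both " and ', so the value can no longer
// terminate the attribute. This mirrors the intent of the upstream fix.
function renderImageEscaped(string $url): string
{
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Defence in depth for "validate before persistence": accept a storage-relative
// path or an absolute http(s) URL, and reject quotes, angle brackets and whitespace.
function isSafeImageUrl(string $url): bool
{
    if (preg_match('/["\'<>\s]/', $url) === 1) {
        return false;
    }
    if (str_starts_with($url, '/') && !str_starts_with($url, '//')) {
        return true;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true)
        && filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Audit helper for remediation step 4: return stored values that would not pass
// validation so they can be reviewed and cleaned up.
function findSuspiciousValues(array $storedUrls): array
{
    return array_values(array_filter($storedUrls, fn (string $v): bool => !isSafeImageUrl($v)));
}

echo renderImageUnsafe(CONSTRUCTED_BAD_URL), PHP_EOL;
echo renderImageEscaped(CONSTRUCTED_BAD_URL), PHP_EOL;
print_r(findSuspiciousValues(['/storage/ok.png', CONSTRUCTED_BAD_URL, 'ftp://example.com/x.png']));
```

The first echo shows the smuggled attribute surviving into the tag, the second shows it neutralised as `&quot;`, and the audit call lists the two values that would fail validation.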
